Friday, March 27, 2015

Cisco researchers have found a new breed of PoS malware, called “PoSeidon.” The new malware is built on top of the Zeus exploit kit and is an improved version of BlackPOS which was used in the 2013 Target breach. PoSeidon contains a loader that maintains persistence on infected boxes to survive reboots and user log-outs.

NJRat is making a comeback according to researchers at PhishMe. The malware is being delivered via email and contains a link to a file stored on eDisk called “NSFW_Car_Changer.exe” which contains the malware. The executable is compiled with .NET 4.0, making it harder to decode than malware written in C/C++.

Researchers from the Cyber Security Research Center at Israel’s Ben-Gurion University have shown that two air-gapped systems can be breached using heat and their built-in thermal sensors. The method, being called BitWhisper, is the first time researchers have been able to establish a bi-directional communication channel between two air-gapped systems.

Roughly half of all Android handsets are vulnerable to the “Android installer hijacking” vulnerability which allows hackers to replace seemingly benign apps with malicious ones that steal passwords and other sensitive data. The vulnerability only works when apps are being downloaded from third-party app stores or when a user clicks on an app promotion advertisement hosted by a mobile advertisement library.

Zero-day vulnerabilities rose from 14 in 2013 to 25 in 2014 according to Secunia. Flaws in Web browser software increased from 728 in 2013 to 1,035 in 2014. However, vendors are fixing the flaws faster: over 83 percent of the 15,435 vulnerabilities found in 2014 had a patch available by the time the flaw was publicly disclosed, compared with 78.5 percent in 2013.

Wednesday, March 25, 2015

Last week, a US District Court initially approved a $10M settlement in a class action suit against Target for the Christmas 2013 hack that compromised millions of credit cards and the personal privacy information of 60 million customers. The impact of this settlement will be felt far beyond the $10M in damages provided by the settlement. In fact, the dollar value of the settlement pales in comparison to the incident response costs and fines assessed by the credit card issuers and government regulatory organizations (FTC, state attorneys general, etc.). Target had also taken action to comply with some of the requirements of the class action months ago when they established a CISO position and filled it last June.

One of the provisions of the settlement is extremely unusual and possibly unprecedented: allowing for payment of damages without documentation. Most settlements like this require individuals to provide proof of their losses. In this case, damages of up to $10,000 will first be paid to individuals who provide proof but then, the rest of the settlement funds will be divided among consumers who claim they suffered a loss, even if they don't have documentation.

An attorney for Target customers, Vincent Esades, said after the hearing that the settlement could end up costing Target substantially more than the $10M direct cap on settlements to the claimants. The total cost including attorneys’ fees and administrative costs could likely reach $25M.

Tuesday, March 24, 2015

As you may have heard, this year RSA Conference has launched a crowdsourced speaking track; in short, RSA has opened a number of speaking abstracts up for a vote and the top 25 will have a shot at being included at the conference. Voting will be open until April 2, with the RSA program committee narrowing down the final 12 winners by April 9.

I’m honored that my proposed session, “How-To: Aggressive Remediation in an APT World,” is included in the voting pool and wanted to give our readers a preview of what my session would entail. Don’t worry: if you’re too busy to read the blog but trust that it’s a good session, you can skip ahead and vote here.

The breaches we investigate reveal that APT hackers are often embedded for months or years before discovery, and remediation is not as simple as ending the attack and fixing vulnerabilities. In order to address these advanced attacks, security staff needs to take an aggressive stance during incident response and focus not only on containment but on eradication of the threat.

When you break it down, any incident response program has three equally important parts:

Friday, March 20, 2015

As part of a settlement deal, Target will set aside $10 million to fund claims made by individuals who can prove they suffered financial losses as a result of the data breach at Target in 2013. Each individual is eligible for up to $10,000 in damages. As part of the settlement, Target will also take steps to minimize the risk of a similar breach in the future.

Premera announced a data breach that could impact more than 11 million people on March 17. Hackers may have had access to birth dates, member ID numbers, bank account info, social security numbers, medical claim records and clinical information. The investigation has not determined that any data has been removed but the breach began on May 5, 2014 and wasn’t discovered until January 29, 2015.

A hacker has threatened to share sensitive data belonging to South Korea’s power plants with other countries if a ransom is not paid. The attacker shared some information via Twitter on March 19, but the South Korean state-run Korea Hydro & Nuclear Power Co. believes it didn’t contain any sensitive information.

Forty-two amateur cyber defenders took part in a cyber-terrorist attack simulation organized by the Cyber Security Challenge UK. The competition is in its fifth year and aims to plug the skills shortage currently affecting governments and UK businesses. Over the course of two days, the amateur cyber defenders were tasked with finding vulnerabilities and flaws placed in an operating system and regaining control of a weapons system, among other tasks.

OpenSSL released versions 1.0.1a, 1.0.1m, 1.0.0r and 0.9.8zf on March 19 to address 12 flaws, one of which was classified as high severity. The most serious vulnerability, CVE-2015-0291, can lead to denial-of-service attacks. This vulnerability only affects the 1.0.2 branch of OpenSSL.

Friday, March 13, 2015

Adobe has released new versions of its Flash Player to address 11 vulnerabilities. Windows and Macintosh users can update Flash Player to version 17.0.0.134 and Linux users can update to version 11.2.202.451 for the latest versions. The update fixes memory corruption, type confusion, integer overflow and use-after-free flaws.

Researchers at Google successfully exploited the previously theoretical attack technique known as “Rowhammer” where data written to a row of memory cells can flip a bit in an adjacent row to undermine security. The technique takes advantage of the physics of DRAM. The Google researchers found that 15 of the 29 laptops tested were vulnerable to the attack.

Point-of-sale system manufacturer NEXTEP is investigating a possible data breach at Zoup!, a soup restaurant chain in the northern U.S. and Canada. The breach was discovered after law enforcement notified NEXTEP about a pattern of fraudulent use of credit cards used at various Zoup! franchise locations. NEXTEP has found security issues in its PoS devices, but the problem does not appear to affect all of its customers.

Microsoft announced that a joint clean-up effort between itself, Lenovo and other software makers has reduced the number of Lenovo PCs infected with the Superfish adware to below 1,000. This is a drop from 60,000 on February 21.

Microsoft issued a patch for a critical vulnerability that enabled the Stuxnet attack in 2010. Microsoft had originally issued a patch for the vulnerability, known as CVE-2010-2568, in 2010, but researchers discovered it was not complete and the underlying vulnerability remained until the patch issued on March 10.

ICYMI Threat Geek Post of the Week: Tales from the Field: Responding to a Critical Infrastructure Breach by Pat Brooks

Want to keep up with Cyber Scoop throughout the week? Follow us on Twitter @FidSecSys and don’t forget to share articles you think should be in next week’s Scoop using #CyberScoop!

Friday, March 06, 2015

Mandarin Oriental Hotel Group has confirmed its hotels have been affected by a credit card breach. According to a Mandarin Oriental statement, the “credit card systems in an isolated number” of hotels in the US and Europe were breached. Banking industry sources told Brian Krebs that most if not all Mandarin hotels in the US were impacted including locations in Boston, Florida, Las Vegas, Miami, New York and Washington, D.C. The breach reportedly began in December 2014.

A vulnerability known as FREAK, or “Factoring attack on RSA-EXPORT Keys,” has been found to affect SSL and TLS. The flaw allows a man-in-the-middle attacker to downgrade a connection’s encryption to a weak 512-bit RSA key instead of today’s standard 2048-bit keys. Vulnerable platforms include the Android, iOS and OS X operating systems. Most Windows and Linux devices are not vulnerable.

Uber announced on February 27 that one of its databases was breached, putting up to 50,000 former and current Uber drivers’ personal information at risk. The database contained the names and driver’s license numbers of Uber drivers across multiple states. The breach was first discovered on September 17, 2014, but was believed to be a one-time incident that took place on May 13, 2014.

D-Link is releasing firmware updates for a number of its routers to address vulnerabilities that can be exploited to load malicious code, permit command injection and disclose information about device configuration to attackers. The affected products are DIR-626L, DIR-636L, DIR-808L, DIR-810L, DIR-820L, DIR-826L, DIR-830L and DIR-836L.

Thursday, March 05, 2015

OK, now that you will have that song in your head all day (you’re welcome) I think I have your attention! Unfortunately, we need to move on to more serious matters. There is a lot of panic today surrounding a security bug labeled FREAK. As is the case with any big news item, you can find various reports and technical details by simply typing FREAK into your favorite search engine. I’ve pulled together some highlights and helpful resources for this latest vulnerability here.

Reports started popping up on Tuesday identifying a flaw in the negotiation mechanism used to determine the security of your connections. Today, stronger encryption protocols are the standard, but weaker export-grade ciphersuites are still around due to an abandoned government policy. Essentially this flaw enables an attacker to force your connection to accept a less secure ciphersuite via a man-in-the-middle (MITM) style attack. I think it goes without saying that this is bad.
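To make the negotiation flaw concrete, here is an added toy model of the downgrade described above and of the two places a defender fixes it (this is illustrative code written for this post, not code from the original article or from any TLS library). It assumes a simplified handshake: the "server" picks the first suite in its own preference list that the offered ClientHello also contains, no real TLS is performed, and the suite lists are constructed sample data using names from the TLS cipher suite registry.

```python
"""
Toy model of an export-cipher downgrade (FREAK-style) and its mitigations.

Added, illustrative example. The handshake below is a simplified model:
the server selects its most preferred suite that also appears in the
(possibly tampered) client offer. No network traffic is involved.
"""

# Server preference list (constructed sample data).
STRONG_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
# Export-grade suites left over from the old crypto-export policy:
# they negotiate a 512-bit RSA key (constructed sample data).
EXPORT_SUITES = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
]


def is_export_grade(suite: str) -> bool:
    """True for suites that negotiate 512-bit RSA (the downgrade target)."""
    return "_EXPORT_" in suite


def audit_server_suites(server_suites):
    """Defender check: the export-grade suites a server would still accept.
    An empty result means the server cannot be downgraded this way."""
    return [s for s in server_suites if is_export_grade(s)]


def server_select(server_suites, client_offer):
    """Server picks its most preferred suite that the offer contains."""
    for suite in server_suites:
        if suite in client_offer:
            return suite
    return None  # no common suite: handshake fails


def tampered_offer(_client_offer):
    """Model of the in-path tampering: the offer the server sees lists
    only export suites, regardless of what the client actually sent."""
    return list(EXPORT_SUITES)


def client_accept(original_offer, chosen, patched):
    """Client-side decision. A patched client refuses a suite it never offered;
    an unpatched one accepts whatever the server chose."""
    if chosen is None:
        return False
    if patched and chosen not in original_offer:
        return False
    return True


def run_handshake(server_suites, client_offer, tampered, patched_client):
    """Return the suite the connection ends up using, or None if refused."""
    offer = tampered_offer(client_offer) if tampered else list(client_offer)
    chosen = server_select(server_suites, offer)
    return chosen if client_accept(client_offer, chosen, patched_client) else None


if __name__ == "__main__":
    vulnerable_server = STRONG_SUITES + EXPORT_SUITES
    hardened_server = STRONG_SUITES
    print("export suites still enabled:", audit_server_suites(vulnerable_server))
    print("untampered           :", run_handshake(vulnerable_server, STRONG_SUITES, False, False))
    print("tampered, old client :", run_handshake(vulnerable_server, STRONG_SUITES, True, False))
    print("tampered, patched    :", run_handshake(vulnerable_server, STRONG_SUITES, True, True))
    print("tampered, hardened   :", run_handshake(hardened_server, STRONG_SUITES, True, False))
```

The model shows why the fix has two halves: a server that still enables export suites will agree to one whenever the offer it sees contains only those suites, so removing them from the server configuration (what `audit_server_suites` checks for) closes the downgrade on that side, while a client that verifies the negotiated suite is one it actually offered refuses the downgraded connection even against an unfixed server.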

Friday, February 27, 2015

Researchers have discovered five new vulnerabilities in SAP BusinessObjects and SAP HANA, three of them high-risk. All three of the high-risk vulnerabilities are in BusinessObjects; they allow unauthenticated attackers to remotely retrieve business data, to remotely access and delete auditing information and touch the system without detection, and to remotely access and overwrite business data.

Researchers have discovered that PrivDog, Comodo’s advertising replacement software, mishandles HTTPS connections by replacing self-signed certificates with its locally installed root certificate. The issue is only found in versions downloaded directly from the PrivDog website, not in the versions pre-bundled with Comodo’s software.

The main website of PC maker, Lenovo was defaced by hackers on February 25. The defacement comes days after it emerged Lenovo had pre-installed adware designed by Superfish that allowed hackers to launch man-in-the-middle attacks. Lizard Squad claimed responsibility for the defacement.

British, Dutch, German and Italian police have claimed they disrupted Ramnit, one of the world’s biggest botnets. The Ramnit malware sought to steal victims’ banking login data and is believed to have infected up to 3.2 million Windows PCs. It is currently found on up to 350,000 compromised machines. The command and control centers have been shut down, cutting the botnet off from its creators.

A new study shows the cost of medical identity theft increased by 21.7 percent in 2014, costing an average of $13,450 per victim. Due to the healthcare industry’s lagging fraud detection, 65 percent of victims had to pay to resolve the issues themselves.
